projects / prosody.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Improved the regexp used to parse the client response a bit. Authenticating with...
[prosody.git] / util / sasl.lua
1
2 local md5 = require "util.hashes".md5;
3 local log = require "util.logger".init("sasl");
4 local tostring = tostring;
5 local st = require "util.stanza";
6 local generate_uuid = require "util.uuid".generate;
7 local s_match = string.match;
8 local gmatch = string.gmatch
9 local string = string
10 local math = require "math"
11 local type = type
12 local error = error
13 local print = print
14
15 module "sasl"
16
17 local function new_plain(realm, password_handler)
18         local object = { mechanism = "PLAIN", realm = realm, password_handler = password_handler}
19         function object.feed(self, message)
20         
21                 if message == "" or message == nil then return "failure", "malformed-request" end
22                 local response = message
23                 local authorization = s_match(response, "([^&%z]+)")
24                 local authentication = s_match(response, "%z([^&%z]+)%z")
25                 local password = s_match(response, "%z[^&%z]+%z([^&%z]+)")
26                 
27                 if authentication == nil or password == nil then return "failure", "malformed-request" end
28                 
29                 local password_encoding, correct_password = self.password_handler(authentication, self.realm, "PLAIN")
30                 
31                 if correct_password == nil then return "failure", "not-authorized"
32                 elseif correct_password == false then return "failure", "account-disabled" end
33                 
34                 local claimed_password = ""
35                 if password_encoding == nil then claimed_password = password
36                 else claimed_password = password_encoding(password) end
37                 
38                 self.username = authentication
39                 if claimed_password == correct_password then
40                         return "success"
41                 else
42                         return "failure", "not-authorized"
43                 end
44         end
45         return object
46 end
47
48 local function new_digest_md5(realm, password_handler)
49         --TODO maybe support for authzid
50
51         local function serialize(message)
52                 local data = ""
53                 
54                 if type(message) ~= "table" then error("serialize needs an argument of type table.") end
55                 
56                 -- testing all possible values
57                 if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end
58                 if message["qop"] then data = data..[[qop="]]..message.qop..[[",]] end
59                 if message["charset"] then data = data..[[charset=]]..message.charset.."," end
60                 if message["algorithm"] then data = data..[[algorithm=]]..message.algorithm.."," end
61                 if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end
62                 if message["rspauth"] then data = data..[[rspauth=]]..message.rspauth.."," end
63                 data = data:gsub(",$", "")
64                 return data
65         end
66         
67         local function parse(data)
68                 message = {}
69                 for k, v in gmatch(data, [[([%w%-]+)="?([^",]*)"?,?]]) do
70                         message[k] = v
71                 end
72                 return message
73         end
74
75         local object = { mechanism = "DIGEST-MD5", realm = realm, password_handler = password_handler}
76         
77         --TODO: something better than math.random would be nice, maybe OpenSSL's random number generator
78         object.nonce = generate_uuid()
79         object.step = 0
80         object.nonce_count = {}
81                                                                                                 
82         function object.feed(self, message)
83                 self.step = self.step + 1
84                 if (self.step == 1) then
85                         local challenge = serialize({   nonce = object.nonce, 
86                                                                                         qop = "auth",
87                                                                                         charset = "utf-8",
88                                                                                         algorithm = "md5-sess",
89                                                                                         realm = self.realm});
90                         return "challenge", challenge
91                 elseif (self.step == 2) then
92                         local response = parse(message)
93                         -- check for replay attack
94                         if response["nc"] then
95                                 if self.nonce_count[response["nc"]] then return "failure", "not-authorized" end
96                         end
97                         
98                         -- check for username, it's REQUIRED by RFC 2831
99                         if not response["username"] then
100                                 return "failure", "malformed-request"
101                         end
102                         self["username"] = response["username"] 
103                         
104                         -- check for nonce, ...
105                         if not response["nonce"] then
106                                 return "failure", "malformed-request"
107                         else
108                                 -- check if it's the right nonce
109                                 if response["nonce"] ~= tostring(self.nonce) then return "failure", "malformed-request" end
110                         end
111                         
112                         if not response["cnonce"] then return "failure", "malformed-request", "Missing entry for cnonce in SASL message." end
113                         if not response["qop"] then response["qop"] = "auth" end
114                         
115                         if response["realm"] == nil then response["realm"] = "" end
116                         
117                         local domain = ""
118                         local protocol = ""
119                         if response["digest-uri"] then
120                                 protocol, domain = response["digest-uri"]:match("(%w+)/(.*)$")
121                                 if protocol == nil or domain == nil then return "failure", "malformed-request" end
122                         else
123                                 return "failure", "malformed-request", "Missing entry for digest-uri in SASL message."
124                         end
125                         
126                         --TODO maybe realm support
127                         self.username = response["username"]
128                         local password_encoding, Y = self.password_handler(response["username"], response["realm"], "DIGEST-MD5")
129                         if Y == nil then return "failure", "not-authorized"
130                         elseif Y == false then return "failure", "account-disabled" end
131                         
132                         local A1 = Y..":"..response["nonce"]..":"..response["cnonce"]--:authzid
133                         local A2 = "AUTHENTICATE:"..protocol.."/"..domain
134                         
135                         local HA1 = md5(A1, true)
136                         local HA2 = md5(A2, true)
137                         
138                         local KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2
139                         local response_value = md5(KD, true)
140                         
141                         if response_value == response["response"] then
142                                 -- calculate rspauth
143                                 A2 = ":"..protocol.."/"..domain
144                                 
145                                 HA1 = md5(A1, true)
146                                 HA2 = md5(A2, true)
147         
148                                 KD = HA1..":"..response["nonce"]..":"..response["nc"]..":"..response["cnonce"]..":"..response["qop"]..":"..HA2
149                                 local rspauth = md5(KD, true)
150                                 self.authenticated = true
151                                 return "challenge", serialize({rspauth = rspauth})
152                         else
153                                 return "failure", "not-authorized", "The response provided by the client doesn't match the one we calculated."
154                         end                                                     
155                 elseif self.step == 3 then
156                         if self.authenticated ~= nil then return "success"
157                         else return "failure", "malformed-request" end
158                 end
159         end
160         return object
161 end
162
163 function new(mechanism, realm, password_handler)
164         local object
165         if mechanism == "PLAIN" then object = new_plain(realm, password_handler)
166         elseif mechanism == "DIGEST-MD5" then object = new_digest_md5(realm, password_handler)
167         else
168                 log("debug", "Unsupported SASL mechanism: "..tostring(mechanism));
169                 return nil
170         end
171         return object
172 end
173
174 return _M;